Build: Introduce CONFIG_TFM_BOOT_STORE_MEASUREMENTS
Use the CONFIG_TFM_BOOT_STORE_MEASUREMENTS CMake variable instead of
MCUBOOT_MEASURED_BOOT to control measured boot mechanisms in
each boot stages.
The form (encoding) and amount of the saved measured boot data
can vary depending on the number of boot stages. This variable
can be used the serve the different cases.
Change-Id: I1cdb7372d753228f4b422e12c3f0f90594a2739e
Signed-off-by: David Vincze <david.vincze@arm.com>
diff --git a/bl2/ext/mcuboot/CMakeLists.txt b/bl2/ext/mcuboot/CMakeLists.txt
index 0ffdfe0..e3d3315 100644
--- a/bl2/ext/mcuboot/CMakeLists.txt
+++ b/bl2/ext/mcuboot/CMakeLists.txt
@@ -1,5 +1,5 @@
#------------------------------------------------------------------------------
-# Copyright (c) 2020-2021, Arm Limited. All rights reserved.
+# Copyright (c) 2020-2022, Arm Limited. All rights reserved.
#
# SPDX-License-Identifier: BSD-3-Clause
#
@@ -12,6 +12,10 @@
set(MCUBOOT_KEY_ENC "${MCUBOOT_PATH}/enc-rsa2048-pub.pem" CACHE FILEPATH "Path to key with which to encrypt binary")
+if (CONFIG_TFM_BOOT_STORE_MEASUREMENTS)
+ set(MCUBOOT_MEASURED_BOOT ON)
+endif()
+
add_subdirectory("${MCUBOOT_PATH}/boot/bootutil" bootutil)
target_include_directories(bootutil
diff --git a/bl2/ext/mcuboot/mcuboot_default_config.cmake b/bl2/ext/mcuboot/mcuboot_default_config.cmake
index fb67ab5..3f0ad2d 100644
--- a/bl2/ext/mcuboot/mcuboot_default_config.cmake
+++ b/bl2/ext/mcuboot/mcuboot_default_config.cmake
@@ -34,7 +34,6 @@
set_property(CACHE MCUBOOT_ALIGN_VAL PROPERTY STRINGS "1;2;4;8;16;32")
set(MCUBOOT_DIRECT_XIP_REVERT ON CACHE BOOL "Enable the revert mechanism in direct-xip mode")
-set(MCUBOOT_MEASURED_BOOT ON CACHE BOOL "Add boot measurement values to boot status. Used for initial attestation token")
set(MCUBOOT_HW_ROLLBACK_PROT ON CACHE BOOL "Enable security counter validation against non-volatile HW counters")
set(MCUBOOT_ENC_IMAGES OFF CACHE BOOL "Enable encrypted image upgrade support")
set(MCUBOOT_ENCRYPT_RSA OFF CACHE BOOL "Use RSA for encrypted image upgrade support")
diff --git a/config/check_config.cmake b/config/check_config.cmake
index 7438aa9..dccde53 100644
--- a/config/check_config.cmake
+++ b/config/check_config.cmake
@@ -94,7 +94,7 @@
tfm_invalid_config(TFM_PARTITION_PROTECTED_STORAGE AND NOT TFM_PARTITION_INTERNAL_TRUSTED_STORAGE)
# PS only uses the platform partition when PS_ROLLBACK_PROTECTION is ON, but
-# the dependency in the manifest file means the dependency is unconditional
+# the dependency in the manifest file means the dependency is unconditional
tfm_invalid_config(TFM_PARTITION_PROTECTED_STORAGE AND NOT TFM_PARTITION_PLATFORM)
tfm_invalid_config(PS_ROLLBACK_PROTECTION AND NOT PS_ENCRYPTION)
diff --git a/config/config_default.cmake b/config/config_default.cmake
index e12d43f..5e4ffe0 100755
--- a/config/config_default.cmake
+++ b/config/config_default.cmake
@@ -46,6 +46,7 @@
set(TFM_PARTITION_LOG_LEVEL TFM_PARTITION_LOG_LEVEL_INFO CACHE STRING "Set default Secure Partition log level as INFO level")
set(TFM_CODE_SHARING OFF CACHE PATH "Enable code sharing between MCUboot and secure firmware")
+set(CONFIG_TFM_BOOT_STORE_MEASUREMENTS ON CACHE BOOL "Store measurement values from all the boot stages. Used for initial attestation token.")
set(TFM_INSTALL_PATH ${CMAKE_BINARY_DIR}/install CACHE PATH "Path to which to install TF-M files")
diff --git a/platform/ext/target/arm/musca_b1/sse_200/config.cmake b/platform/ext/target/arm/musca_b1/sse_200/config.cmake
index 73af640..5a7b8d1 100644
--- a/platform/ext/target/arm/musca_b1/sse_200/config.cmake
+++ b/platform/ext/target/arm/musca_b1/sse_200/config.cmake
@@ -1,5 +1,5 @@
#-------------------------------------------------------------------------------
-# Copyright (c) 2020-2021, Arm Limited. All rights reserved.
+# Copyright (c) 2020-2022, Arm Limited. All rights reserved.
# Copyright (c) 2022 Cypress Semiconductor Corporation (an Infineon company)
# or an affiliate of Cypress Semiconductor Corporation. All rights reserved.
#
@@ -22,7 +22,7 @@
set(BL0 OFF)
else()
set(MCUBOOT_IMAGE_NUMBER 1 CACHE STRING "Whether to combine S and NS into either 1 image, or sign each seperately")
- set(MCUBOOT_MEASURED_BOOT OFF CACHE BOOL "Add boot measurement values to boot status. Used for initial attestation token")
+ set(CONFIG_TFM_BOOT_STORE_MEASUREMENTS OFF CACHE BOOL "Store measurement values from all the boot stages. Used for initial attestation token.")
set(TFM_PARTITION_PROTECTED_STORAGE OFF CACHE BOOL "Enable Protected Storage partition")
set(TFM_PARTITION_INTERNAL_TRUSTED_STORAGE OFF CACHE BOOL "Enable Internal Trusted Storage partition")
set(TFM_PARTITION_CRYPTO OFF CACHE BOOL "Enable Crypto partition")
diff --git a/secure_fw/spm/CMakeLists.txt b/secure_fw/spm/CMakeLists.txt
index 379dc38..f7bda71 100755
--- a/secure_fw/spm/CMakeLists.txt
+++ b/secure_fw/spm/CMakeLists.txt
@@ -102,7 +102,7 @@
PRIVATE
$<$<BOOL:${PLATFORM_SVC_HANDLERS}>:PLATFORM_SVC_HANDLERS>
$<$<CONFIG:Debug>:TFM_CORE_DEBUG>
- $<$<AND:$<BOOL:${BL2}>,$<BOOL:${MCUBOOT_MEASURED_BOOT}>>:BOOT_DATA_AVAILABLE>
+ $<$<AND:$<BOOL:${BL2}>,$<BOOL:${CONFIG_TFM_BOOT_STORE_MEASUREMENTS}>>:BOOT_DATA_AVAILABLE>
$<$<BOOL:${CONFIG_TFM_HALT_ON_CORE_PANIC}>:CONFIG_TFM_HALT_ON_CORE_PANIC>
$<$<BOOL:${TFM_NS_MANAGE_NSID}>:TFM_NS_MANAGE_NSID>
$<$<BOOL:${TFM_PSA_API}>:CONFIG_TFM_CONN_HANDLE_MAX_NUM=${CONFIG_TFM_CONN_HANDLE_MAX_NUM}>